Researchers have noticed the return of the Android banking trojan AbereBot, now know as “Escobar” with advanced malicious features. The most alarming of all functionalities include the capability of stealing Google Authenticator MFA codes. This feature allows the malware to bypass secure logins.
AbereBot Android Trojan Transforms Into “Escobar”
According to a recent post from Cyble, the potent Android trojan AbereBot has rebranded as “Escobar” as it adds to its capabilities.
As elaborated, AbereBot is a known banking malware that has targeted over 140 financial institutions and banks across 18 countries. The malware was first discovered in mid-2021 when it mimicked the Chrome browser app to fool victims. It exhibited the typical traits of a banking trojan, like stealing credentials via screen overlays. Now it seems the malware authors have further strengthened it to appear different from previous versions.
The new variant caught the attention of the MalwareHunterTeam when they noticed an app mimicking the McAfee antivirus app. Analyzing it further made them find the package named “com.escobar.pablo”.
Possible interesting, very low detected "McAfee9412.apk": a9d1561ed0d23a5473d68069337e2f8e7862f7b72b74251eb63ccc883ba9459f
From: https://cdn.discordapp[.]com/attachments/900818589068689461/948690034867986462/McAfee9412.apk
"com.escobar.pablo"
? pic.twitter.com/QR89LV4jat— MalwareHunterTeam (@malwrhunterteam) March 3, 2022
They then analyzed the malicious app to unveil the details about Escobar malware. As explained, the malicious app asks for dangerous permissions including access to SMS, contacts, storage, call logs, audio, and accessibility service. The trojan abuses these permissions to access OTPs and multi-factor authentication codes.
Moreover, Escobar also exhibits functionalities to disable the keylock and password security features on the device.
In addition, the malware also steals device details, account credentials, emails addresses, and gathers a list of accounts on the device. Also, the malware abuses camera and microphone to record audio and videos, and monitors the device’s screen with VNC viewer.
The threat actors can further send commands to the malware to steal Google Authenticator codes. This new variant also collects the device’s location, steals media files, and injects URLs into target devices. Finally if instructed, the malware can self-destruct, removing any infection traces.
The researchers have shared technical details of the malware in their post.
Stay Wary
The researchers advise users to keep their devices loaded with robust antimalware, use strong MFA measures like biometric locks, downloads apps from the official app stores only, and avoid clicking on phishing links.
Moreover, keeping the device OS updated is also crucial to receive bug fixes and avoid possible exploits.